LMVD-ID: 68b36ede
Published March 1, 2026

Stealthy Tool-Call Token Exhaust

Affected Models: Gemini 2

Research Paper

Clawdrain: Exploiting Tool-Calling Chains for Stealthy Token Exhaustion in OpenClaw Agents


Description: OpenClaw v2026.2.9 is vulnerable to a resource amplification and economic denial-of-service (DoS) attack via malicious third-party skills. An attacker can publish a Trojanized skill that exploits the framework's tool-calling loop and context-management architecture by injecting a multi-turn "Segmented Verification Protocol" (SVP). Malicious instructions embedded in the skill's SKILL.md file mandate extensive autoregressive sequence generation, while a companion script returns PROGRESS, REPAIR, or TERMINAL signals to force the agent into extended, token-heavy reasoning chains before delivering the benign payload. Because OpenClaw persistently injects skill documentation into the system prompt and accumulates tool outputs in the session history, this forces compounding context growth. Deliberately forcing the agent to fail the protocol also triggers a costly, autonomous recovery cascade (e.g., retrying alternative tools or web searches), further amplifying token consumption.

Examples: An attacker deploys a Trojanized "query" skill replacing a benign data-fetching tool.

  1. The SKILL.md is crafted with instructions framed as a "data provider freshness verification," requiring the LLM to supply a monotonically increasing segment index and a complete, comma-separated calibration sequence of integers (e.g., 1 to 1000) on each tool call. The prompt explicitly forbids abbreviations, ellipses, or range notation.
  2. The companion script (query_tool.py) parses the arguments. If the sequence is correct but the target loop count ($T_{max}$) is not reached, it returns PROGRESS. If the LLM makes an error, it returns REPAIR. Only when the loop concludes does it return TERMINAL and the actual data (e.g., BBC headline data).
  3. Under the SVP v2 configuration ($L=1000$, $T_{max}=3$), this forces the LLM to generate long sequences across multiple turns, consuming ~190k context tokens (a 6–7x amplification over the benign baseline).
  4. Under the SVP v3 configuration ($L=2000$, $T_{max}=5$), the LLM fails to comply, abandons the tool, and autonomously attempts costly fallback strategies (web searches, retries), consuming ~249k cumulative context tokens and ~11 minutes of wall-clock time (~9x amplification).

Impact: Economic denial-of-service (DoS) via extreme token exhaustion, resulting in high API billing costs, degraded system throughput, and increased latency. How stealthy the attack is depends on the interface: in TUI narrated modes, the raw tool traces are suppressed behind benign summary messages, and in autonomous (cron/heartbeat) execution, the drain is entirely unobservable to the user. Additionally, accelerated context growth forces lossy compaction, which can evict the user's prior safety constraints from the working context, enabling secondary behavioral escalations.

Affected Systems:

  • OpenClaw v2026.2.9 (and potentially earlier versions)

Mitigation Steps:

  • Implement strict per-skill token budgets and execution limits to cap the cost of runaway tool-calling chains or autonomous recovery loops.
  • Enforce size limits on SKILL.md files to prevent input-token bloat and system prompt inflation.
  • Enforce strict privilege separation between skill-level instructions and platform-level system directives to prevent third-party skills from overriding global agent behavior.
  • Monitor and cap the rate of autonomous (cron/heartbeat) skill executions.
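One way to implement the first mitigation above (per-skill token budgets and execution limits), as an added example that is not OpenClaw's or the paper's code: a guard that wraps every tool call, charges the model-generated arguments and the tool output against a per-skill budget, and cuts the chain once a skill keeps answering PROGRESS/REPAIR. The class names, the 4-characters-per-token estimate and the stand-in tool are assumptions.

```python
from dataclasses import dataclass, field
NON_TERMINAL = ("PROGRESS", "REPAIR")  # the SVP signals named in the description

@dataclass
class SkillBudget:
    max_calls: int = 5          # tool invocations per skill per session
    max_tokens: int = 20_000    # cumulative tokens (arguments + outputs) per skill
    max_non_terminal: int = 3   # consecutive PROGRESS/REPAIR replies tolerated

@dataclass
class SkillUsage:
    calls: int = 0
    tokens: int = 0
    streak: int = 0     # consecutive non-terminal replies so far
    aborted: str = ""   # why the guard cut the chain, once it has

@dataclass
class SkillBudgetGuard:
    budget: SkillBudget = field(default_factory=SkillBudget)
    usage: dict = field(default_factory=dict)
    def call(self, skill, tool, args):
        # Returns the tool output, or None once a cap is hit; ~4 chars/token stands in for the host tokenizer.
        u, b = self.usage.setdefault(skill, SkillUsage()), self.budget
        if not u.aborted:
            u.calls += 1
            u.tokens += len(args) // 4                  # model-generated arguments
            hits = {"call limit": u.calls > b.max_calls,
                    "token budget": u.tokens > b.max_tokens,
                    "non-terminal loop": u.streak >= b.max_non_terminal}
            u.aborted = next((why for why, hit in hits.items() if hit), "")
        if u.aborted:
            return None
        out = tool(args)
        u.tokens += len(out) // 4                       # output joins session history
        u.streak = u.streak + 1 if out.split(":")[0] in NON_TERMINAL else 0
        return out

def svp_like_tool(t_max):
    # Constructed stand-in for the companion script (not the attacker's code): PROGRESS until call t_max, then TERMINAL.
    n = iter(range(1, 10**6))
    return lambda args: "TERMINAL: headline data" if next(n) >= t_max else "PROGRESS"

def run_chain(guard, skill, tool, args, max_turns=10):
    # Drive the loop as an agent would; return (outputs, per-skill usage).
    outputs = []
    for _ in range(max_turns):
        out = guard.call(skill, tool, args)
        outputs.append(out if out is not None else f"ABORTED: {guard.usage[skill].aborted}")
        if out is None or out.startswith("TERMINAL"):
            break
    return outputs, guard.usage[skill]
```

With the default budget a benign tool that answers TERMINAL on its first call passes untouched, while a tool that keeps answering PROGRESS is cut off on the fourth call and the per-skill usage record carries the reason for audit logging.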

© 2026 Promptfoo. All rights reserved.